Remote logging with auditd

Wouter van Verre woutervanverre at outlook.com
Tue Nov 18 12:21:23 UTC 2014


Hi Steve,

Many thanks for your response. I made an attempt to modify the code in order to make it aggregate events.
I am not quite happy with the way the changes ended up looking, nor with how the resulting log file looked.
I do plan to have another go at this in the future, but for now I'm going to move on by using a different setup,
where the plugin will run locally and I am going to send the parsed data to a remote machine for storage.

I have some questions for that as well, but I will post those in a new thread.

Cheers,

Wouter

----------------------------------------
> From: sgrubb at redhat.com
> To: woutervanverre at outlook.com
> CC: linux-audit at redhat.com
> Subject: Re: Remote logging with auditd
> Date: Thu, 13 Nov 2014 21:44:53 -0500
>
> On Thursday, November 13, 2014 11:23:59 PM Wouter van Verre wrote:
>> However, in my plugin I only seem to receive data from the central (i.e.
>> local) server...
>
> The feed to audispd, right now, is before receiving remote events. Meaning
> that audispd only sees local events and never aggregate events...as things are
> now.
>
>> I draw this conclusion both because I see only one node name, and also
>> because I generate TTY events on the client server only (and they show in
>> /var/log/audit/audit.log as expected), and these do not show in the output
>> from my plugin. Is this the expected behaviour?
>
> Today, yes.
>
>> Are plugins only supposed to receive the locally generated audit events? If
>> it is, is there a way to forward the remotely generated data to a plugin on
>> the central server?
>
> Yes, and it would take some changes to the listening code to insert the events
> at the right point in the event loop.
>
> -Steve
>
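An added example, not code from this thread or from the audit project, of what a plugin reading the audispd feed has to do with the records it receives: parse the optional node= prefix and the msg=audit(ts:serial) id, and key events by node as well as serial, since serials are only unique per host. The sample records are constructed; with the local-only feed described above, only one node name would ever appear.

```python
import re
import sys
from collections import defaultdict

# Audit record header: optional "node=", then "type=", then "msg=audit(SECONDS.MS:SERIAL): fields".
AUDIT_RE = re.compile(
    r'^(?:node=(?P<node>\S+)\s+)?type=(?P<type>\S+)\s+'
    r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$'
)

def parse_record(line):
    """Parse one audit record into a dict, or return None if the line is not one."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Records without a node= prefix come from the local auditd.
    rec['node'] = rec['node'] or 'local'
    return rec

def group_events(lines):
    """Group records into events keyed by (node, timestamp, serial).

    auditd emits several records per event (SYSCALL, CWD, PATH, ...) that share
    one msg=audit(ts:serial) id.  The serial is only unique per host, so the node
    name must be part of the key once records from several hosts are mixed.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[(rec['node'], rec['ts'], rec['serial'])].append(rec['type'])
    return dict(events)

def nodes_seen(events):
    """Distinct node names present in the grouped events."""
    return sorted({node for node, _, _ in events})

# Constructed sample: three local records of one event, plus two records from a
# hypothetical remote host whose serial 101 collides with the local serial 101.
SAMPLE = [
    'type=SYSCALL msg=audit(1415831845.123:101): arch=c000003e syscall=59 success=yes exit=0',
    'type=CWD msg=audit(1415831845.123:101): cwd="/root"',
    'type=PATH msg=audit(1415831845.123:101): item=0 name="/bin/ls"',
    'node=client1 type=TTY msg=audit(1415831846.456:101): tty pid=2001 uid=0 auid=1000 ses=3 comm="bash"',
    'node=client1 type=USER_TTY msg=audit(1415831846.456:102): pid=2001 uid=0 auid=1000 ses=3',
]

if __name__ == '__main__':
    # As a plugin: audispd hands records on stdin.  Run with no stdin to use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE
    grouped = group_events(source)
    print('nodes seen:', nodes_seen(grouped))
    for key, types in sorted(grouped.items()):
        print(key, types)
```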